Issue
I have a simple resource server application with Spring Boot; this is the YAML file:
    server:
      port: 8081
      servlet:
        context-path: /resource-server-jwt
    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri: http://localhost:8083/auth/realms/rasool
Now, I want to make a change in configuration or code to force Spring Security to validate the JWT token by calling the introspection endpoint of the authorization server instead of local validation with keys, but I didn't find any way as the Spring Security docs say.
Solution
Spring-boot spring.security.oauth2.resourceserver.jwt.* configuration properties are for JWT decoder.
For token introspection, use spring.security.oauth2.resourceserver.opaque-token.* properties instead (token being in whatever format, including JWT). "opaque" means that tokens are considered a "black-box" by resource-server which delegates validation and attributes retrieval to authorization-server on introspection endpoint:
    server:
      port: 8081
      servlet:
        context-path: /resource-server-jwt
    spring:
      security:
        oauth2:
          resourceserver:
            opaque-token:
              introspection-uri: http://localhost:8083/auth/realms/rasool/protocol/openid-connect/token/introspect
              client-id: change-me
              client-secret: change-me
Introspection uri from .well-known/openid-configuration
If you are using Java configuration, the switch is about the same: replace http.oauth2ResourceServer().jwt()... with http.oauth2ResourceServer().opaqueToken()...
A few notes about declared clients on authorisation-server
Resource-servers introspect token on authorisation-server introspection endpoint using client-credentials flow: for each and every request it processes, resource-servers will send a request to authorization-server to get token details. This can have serious performance impact. Are you sure you want to switch to token introspection?
As a consequence, in the properties above, you must configure a client with:
- "Access Type" set to confidential
- "Service Accounts Enabled" activated
Create one if you don't have one yet. You'll get client-secret from "credentials tab" once the configuration is saved.
Note you should have other (public) clients to identify users (from web / mobile apps or REST client) and query your resource-server on behalf of those users.
From the authorization-server point of view, this means that access-tokens will be issued to a (public) client and introspected by another (confidential) client.
Complete working sample here
It does a few things useful for resource-servers:
- authorities mapping (choose attributes to parse user authorities from, prefix & case processing)
- CORS configuration
- stateless-session management
- CSRF with Cookie repo
- anonymous enabled for a list of configured public routes
- 401 (unauthorized) instead of 302 (redirect to login) when trying to access protected resources with missing or invalid Authorization
Answered By - ch4mp
Answer Checked By - Mary Flores (JavaFixing Volunteer)
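The Java-configuration switch described in the answer, as an added example (not from the original answer or its linked sample), assuming Spring Security 6 on Java 17: an `OpaqueTokenIntrospector` bean that calls the introspection endpoint and caches positive results briefly, to limit the per-request cost mentioned above. The class name, the 30-second cache age and the in-memory map are assumptions; with this cache a revoked token can stay accepted for up to that cache age.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class IntrospectionConfig { // hypothetical class name
    // Assumed value: the longest a revoked token can still be accepted from cache.
    private static final Duration MAX_AGE = Duration.ofSeconds(30);
    private record Cached(OAuth2AuthenticatedPrincipal principal, Instant until) {}

    @Bean
    OpaqueTokenIntrospector introspector() {
        // URI and placeholder credentials are the ones from the YAML above.
        OpaqueTokenIntrospector remote = new SpringOpaqueTokenIntrospector(
                "http://localhost:8083/auth/realms/rasool/protocol/openid-connect/token/introspect",
                "change-me", "change-me");
        Map<String, Cached> cache = new ConcurrentHashMap<>();
        return token -> {
            Instant now = Instant.now();
            Cached hit = cache.get(token);
            if (hit != null && now.isBefore(hit.until())) return hit.principal();
            cache.values().removeIf(c -> !now.isBefore(c.until())); // drop expired entries
            // Inactive or invalid tokens make introspect() throw, so they are never cached.
            OAuth2AuthenticatedPrincipal principal = remote.introspect(token);
            Instant until = now.plus(MAX_AGE);
            Object exp = principal.getAttribute("exp");
            if (exp instanceof Instant e && e.isBefore(until)) {
                until = e; // never cache past the token's own expiry
            }
            cache.put(token, new Cached(principal, until));
            return principal;
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // opaqueToken() with defaults picks up the OpaqueTokenIntrospector bean above.
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.opaqueToken(Customizer.withDefaults()));
        return http.build();
    }
}
```

Setting `MAX_AGE` to zero restores one introspection call per request, which is the behaviour the answer describes.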